When employees of tech giants Google and Facebook, arguably among the hardest targets for scammers and certainly among the most up to date on security awareness, fell for a phishing scam in 2015 (1) that cost the two companies approximately USD 100 million, heads in the cybersecurity world turned and almost rolled.
Lithuanian scammer Evaldas Rimasauskas, working with associates, set up a fictitious company and impersonated another in a phishing scam that led authorized employees of the two companies to pay out millions of dollars in the belief that they were making genuine payments to a major vendor of their organizations. When Google discovered the fraud, it came to light that the perpetrator had opened hundreds of fake email accounts, forged bank documents, and raised fake invoices. Though both Google and Facebook recovered most of the misappropriated funds, the lesson that phishing scams can affect anybody was not lost.
The case for employee awareness
Forbes says that human-related causes are responsible for 95% of cybersecurity breaches (2), a figure that more than emphasizes the importance of having a robust security culture in place at the employee level. Verizon's 2022 Data Breach Investigations Report (3) shows that 82% of data breaches involve a human element, with incidents ranging from database misconfiguration to slip-ups while on the network that allow cybercriminals to gain access to organizational systems.
TechTarget's infographic (5) seals the argument for employee awareness where cybersecurity is concerned, giving eye-opening statistics on employee ignorance, casual attitudes, lack of diligence, and sheer carelessness:
- 43% of employees are not aware that clicking a suspicious link or opening an unknown attachment in an email is likely to lead to a malware infection
- 1 in 4 believe it’s acceptable to use a personal cloud server to transfer work from home as long as the cloud service performs a pre-emptive virus scan
- 48% of malicious email attachments are Microsoft Office files, often disguised as an invoice or receipt
- 1 in 3 believe that not securing their laptop or mobile devices with a password represents little to no security risk
- 39% say it’s a good idea to reply to a potential social engineering attempt, asking for clarification or information from the possible scammer
- 59% are not fully confident they could identify a social engineering attack
- 24% believe it’s safe to download third-party mobile apps that don’t access corporate data
In terms of costs, the damage can be devastating. Laxity in employee awareness and practices is hurting organizations and has created a lucrative field for scammers and cybercriminals. A Proofpoint-sponsored report by the Ponemon Institute, the 2021 Cost of Phishing Study (4), put the average annual cost of phishing in 2021 at $14.8 million for a 9,600-employee organization, or slightly more than $1,500 per employee, an amount that has tripled since 2015.
The need cannot be overstated
Statistics aside, humans represent one of the weakest links in cybersecurity as threats grow ever more complex. The case is not helped by the fact that there are today an estimated 15 billion devices in circulation (6), including computers, servers, and mobile phones operating worldwide, a figure that is estimated to rise to 19 billion by 2025. Digital fluency and literacy are transforming the cybersecurity landscape, with devices constantly performing many functions, some of which we are not even aware of. These include tracking and storing real-time location, saving passwords and information shared with apps, and listening to our conversations.
Employee education and awareness of cybersecurity is a critical issue that affects businesses of all sizes and industries. It is therefore more important than ever to ensure that employees are educated about and aware of the potential risks and threats they may face at the front end of the organizations they represent.
Cybersecurity awareness involves being mindful of the dangers of browsing the web, checking email, and interacting online – things that happen regularly in daily life.
From awareness to culture
It is important that cybersecurity awareness leads to a cybersecurity culture, and if these practices are to be effective on professional and personal levels they must become a way of life. A good security culture is expressed by an organization’s collective awareness and behaviors. It reduces the risk of attacks and operationalizes employees as the last line of defense. Studies have shown that organizations with a strong cybersecurity culture have reduced the incidence of cyber incidents, higher visibility of potential threats, and greater post-attack resilience.
Security awareness is brought about by investing in training and ongoing education, anchored by a clear understanding on the part of the employee as to how a security culture and best security practices benefit them.
Embarking on cybersecurity training
Cybersecurity training can be customized to suit your organization’s needs. It is important to remember that the training represents an investment, the result of which will be seen over a period of time. When it comes to the bottom line, even a small investment in cybersecurity awareness and training drives a positive ROI. Effective training programs adopt an employee-first approach, tailoring the training to ensure relevance and suit departmental needs.
While most training is delivered on a periodic basis, it is not uncommon for training to be undertaken at specific junctures or to meet specific needs. These could include the following.
- Framework-specific training: undertaken for example when the organization wishes to implement new standards
- Industry-specific training: undertaken when the training is required by the industry to which the organization belongs
- Onboarding training: undertaken specifically when an employee joins the organization
- Refresher training: undertaken at specific intervals, characterized by tests and quizzes, and concluded with a 'Certificate of Completion'
It is very important that the training is engaging, lest repeated training exercises lead to boredom and a careless attitude. Competitions and incentives such as a 'Cybersecurity Employee of the Month' award are among the ways used to make training more engaging.
Areas to address
Some of the main areas that employee cybersecurity training and awareness should address are:
- Phishing Scams: A type of social engineering attack, phishing is routinely used to trick employees into clicking on malicious links in emails that result in the exfiltration of organizational and personal data. Forbes Advisor (7) estimates that as much as 94% of phishing scams are delivered via email. Organizations need to pay special attention to this area, so employees do not fall prey to the tempting offers that such scams proffer.
- Password Management: Organizations need to inculcate in employees a strong sense of awareness as to password strength (8), as compromised passwords almost always result in exfiltration and loss of data, which can prove disastrous.
- Cloud Security: Almost all organizations and netizens today routinely use the cloud to store data. Yet the cloud, like on-premise storage devices, is also vulnerable to cyberthreats (9). Employee awareness and training in cloud security best practices is another important area that will contribute to a good security culture.
- Machine Learning and AI: Both very effective tools for automation and threat management, these new-age tools can also be susceptible to malware. It is a good practice for employees to be made aware of the dangers inherent in these tools.
- The Internet of Things (IoT) and secured networks: Enormous growth in IoT devices has exponentially increased the attack surface available to cybercriminals. With working from home becoming the new normal to a great degree, employees need to adopt a security culture that makes them use VPNs rather than unsecured home Wi-Fi networks.
Employee awareness, education, and training are key elements of an organization's security strategy and posture. Adopting a training mindset will help organizations develop a workforce that is abreast of potential threat scenarios, leading ultimately to a robust security posture that safeguards organizational and personal data and mitigates, if not eliminates, losses.
Simply stated, organizations that train, gain!
- (1) Phishing email scam stole $100 million from Facebook and Google (cnbc.com)
- (2) Five Cybersecurity Predictions For 2023 (forbes.com)
- (3) How Providing Staff Awareness Training Improves A Company's Security Posture (forbes.com)
- (4) Cost of Phishing Scams Triples Since 2015 (proofpoint.com)
- (5) 7 security awareness statistics to keep you up at night (techtarget.com)
- (6) How To Inspire Employees To Care About Cybersecurity (forbes.com)
- (7) Cybersecurity Awareness: What It Is And How To Start (Forbes Advisor)
- (8) Password Fatigue: What's Next? (aurorait.com)